[6bone] non-global address space for IXs (was: 2001:478:: as /48)

Michael Richardson mcr@sandelman.ottawa.on.ca
Sun, 07 Sep 2003 15:57:14 -0400


>>>>> "John" == John Fraizer <tvo@EnterZone.Net> writes:
    John> Gert,

    John> If you're not running RPF, I have to ask, Why Not?  Do you just want
    John> desperately to be the source of spoofed traffic?

  If one runs RPF on the customer facing interfaces, that is usually enough.
  I'm surprised that you are able to run RPF on interfaces that point into a
DFZ. Maybe there is magic I don't know about.

  If one has customers purchasing transit at an IX, then the IX interface
becomes a customer facing one, sure. But, in that context, I don't see
why you wouldn't take that connected route (to the IX) and distribute it
internally.
  (We certainly find it useful to be able to ping our peers and vendor's
interfaces to make sure they are up...)

  So, the only time that RPF would kill you is if the packet transited
multiple IXs, and had MTU constraints at the "distant" IX.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
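
An added illustration, not part of the original message, of the RPF cases discussed in this thread, modelled as a longest-prefix lookup on the packet's source address. The prefixes are documentation addresses, the interface names are hypothetical, and it assumes the "MTU constraints" case means an ICMPv6 Packet Too Big sourced from a distant IX LAN that has no route on this router.

```python
import ipaddress

# Constructed FIB for one router: prefix -> interface of the best path.
# Interface names (cust0, ix0, transit0) are hypothetical.
FIB = {
    "2001:db8:c001::/48": "cust0",     # customer assignment
    "2001:db8:ffff::/64": "ix0",       # connected route to the local IX LAN
    "2001:db8:aaaa::/48": "ix0",       # peer's prefix, best path via the IX
    "2001:db8:bbbb::/48": "transit0",  # remote network via the upstream
}
# The distant IX LAN 2001:db8:eeee::/64 is deliberately absent (non-global).


def best_interface(src, fib=FIB):
    """Longest-prefix match on the source address; None if no route."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifname) for net, ifname in
               ((ipaddress.ip_network(p), i) for p, i in fib.items())
               if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_accepts(src, in_if, mode="strict", fib=FIB):
    """strict: route back to src must use in_if; loose: any route will do."""
    out_if = best_interface(src, fib)
    if out_if is None:
        return False
    return mode == "loose" or out_if == in_if


# (description, source address, arrival interface, mode) - constructed cases
CASES = [
    ("customer, own prefix", "2001:db8:c001::10", "cust0", "strict"),
    ("customer, spoofed source", "2001:db8:bbbb::1", "cust0", "strict"),
    ("peer prefix arriving via transit", "2001:db8:aaaa::1", "transit0", "strict"),
    ("same packet, loose mode", "2001:db8:aaaa::1", "transit0", "loose"),
    ("local IX neighbour", "2001:db8:ffff::2", "ix0", "strict"),
    ("distant IX router, no route", "2001:db8:eeee::1", "transit0", "loose"),
]

if __name__ == "__main__":
    for desc, src, in_if, mode in CASES:
        verdict = "accept" if urpf_accepts(src, in_if, mode) else "DROP"
        print(f"{verdict:6} {mode:6} {in_if:9} {src:20} {desc}")
```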